Published: January 14 2008, 12:15:00 PMUpdated: November 28 2020, 4:04:48 PM

The signature sent with each notification should be verified before the notification is trusted. Here's how to do it in PHP.

When eBay sends you a notification, it also sends you a "signature" field in the SOAP header. This signature field is derived from four items:
- Your DevID
- Your AppID
- Your CertID
- Timestamp of the notification

The first three items constitute your keyset (sandbox or production).

You know your keyset (which must be kept confidential), and the timestamp is in the SOAP body. Here's how to verify with PHP code that the notification signature is valid:


CODE

<?php

// Sample keyset values. Use sandbox or production values
$devid = 'YOUR-VALUE-9a66-3f359d933e5d';
$appid = 'YOUR-VALUE-abf3-92bdc3bcd29d';
$certid = 'YOUR-VALUE-43b2-b306-c537a0c83e7f';

// These two values are pulled from the notification SOAP payload
// You need to parse these values from the returned XML
// This comes from SOAP Header NotificationSignature field
$sigNote = 'boVG+scoxB694oFeCgUHGw==';
// This comes from SOAP Body Timestamp field
$ebayTimestamp = '2008-01-14T18:35:50.478Z';

// The code to calculate the signature looks like this:
// MD5 over the concatenation, raw digest bytes, then base64
$md5_Str = $ebayTimestamp . $devid . $appid . $certid;
$sigCalc = base64_encode(pack("H*", md5($md5_Str))); // 'H*' means hex string, to end of data

// These two values should be equal
print "sigNote = $sigNote \n"; // signature from notification (parsed XML)
print "sigCalc = $sigCalc \n\n"; // signature calculated from your keyset & timestamp

// hash_equals (PHP 5.6+) compares in constant time and avoids PHP's loose
// string comparison; the expected value is the first argument
if (hash_equals($sigCalc, $sigNote)) {
    print "Two signatures are equivalent -- valid notification. \n";
} else {
    print "Payload and calculated signatures differ - invalid notification \n";
}

?>


OUTPUT

C:\>php CalcSig.php
sigNote = boVG+scoxB694oFeCgUHGw==
sigCalc = boVG+scoxB694oFeCgUHGw==

Two signatures are equivalent -- valid notification.

C:\>
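The sample above hard-codes the signature and timestamp; in a real handler both have to be pulled out of the SOAP envelope first. The following is an added example, not eBay's code, that parses a notification with DOMDocument, recomputes the signature as described above and compares it with hash_equals. The keyset values, the envelope layout (element names under the Header and Body, namespace prefixes) and the timestamp are constructed for illustration; only the NotificationSignature and Timestamp field names come from the article, and the XPath uses local-name() so the lookup does not depend on the prefixes eBay actually emits.

```php
<?php
// Added example (not eBay's code): extract the signature and timestamp from a
// notification envelope and verify them against a keyset.

// Expected signature, exactly as the article describes:
// base64( raw md5( timestamp . devid . appid . certid ) )
// md5($s, true) returns the raw 16 digest bytes, same as pack("H*", md5($s))
function calcNotificationSignature(string $timestamp, array $keyset): string
{
    $input = $timestamp . $keyset['devid'] . $keyset['appid'] . $keyset['certid'];
    return base64_encode(md5($input, true));
}

// Pull NotificationSignature (SOAP Header) and Timestamp (SOAP Body) out of the XML.
// Returns null when the document is malformed or either field is missing/ambiguous.
function extractSignatureAndTimestamp(string $soapXml): ?array
{
    libxml_use_internal_errors(true);          // collect parse errors instead of printing them
    $doc = new DOMDocument();
    if (!$doc->loadXML($soapXml, LIBXML_NONET)) { // LIBXML_NONET: never fetch remote resources
        return null;
    }
    $xp  = new DOMXPath($doc);
    $sig = $xp->query('//*[local-name()="Header"]//*[local-name()="NotificationSignature"]');
    $ts  = $xp->query('//*[local-name()="Body"]//*[local-name()="Timestamp"]');
    if ($sig->length !== 1 || $ts->length !== 1) {
        return null;                            // zero or several matches: treat as invalid
    }
    return [
        'signature' => trim($sig->item(0)->textContent),
        'timestamp' => trim($ts->item(0)->textContent),
    ];
}

// True only when the envelope parses and its signature matches the keyset.
function verifyNotification(string $soapXml, array $keyset): bool
{
    $fields = extractSignatureAndTimestamp($soapXml);
    if ($fields === null) {
        return false;
    }
    $expected = calcNotificationSignature($fields['timestamp'], $keyset);
    // constant-time comparison; expected value goes first
    return hash_equals($expected, $fields['signature']);
}

// --- constructed sample data (not real credentials) ---
$keyset = [
    'devid'  => 'constructed-devid-0000',
    'appid'  => 'constructed-appid-0000',
    'certid' => 'constructed-certid-0000',
];
$timestamp = '2008-01-14T18:35:50.478Z';
$validSig  = calcNotificationSignature($timestamp, $keyset);

// Constructed envelope; element names below NotificationSignature/Timestamp are illustrative.
$envelope = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ebl="urn:ebay:apis:eBLBaseComponents">
  <soapenv:Header>
    <ebl:RequesterCredentials>
      <ebl:NotificationSignature>$validSig</ebl:NotificationSignature>
    </ebl:RequesterCredentials>
  </soapenv:Header>
  <soapenv:Body>
    <ebl:GetItemResponse>
      <ebl:Timestamp>$timestamp</ebl:Timestamp>
    </ebl:GetItemResponse>
  </soapenv:Body>
</soapenv:Envelope>
XML;

// A copy whose timestamp was altered after signing must be rejected.
$tampered = str_replace($timestamp, '2008-01-14T18:35:51.000Z', $envelope);

printf("genuine envelope:  %s\n", verifyNotification($envelope, $keyset) ? 'valid' : 'INVALID');
printf("tampered envelope: %s\n", verifyNotification($tampered, $keyset) ? 'valid' : 'INVALID');
printf("not XML at all:    %s\n", verifyNotification('<nope', $keyset) ? 'valid' : 'INVALID');
```

Two design points: parsing failures and missing fields are reported as "invalid" rather than thrown, so a malformed or truncated POST is simply dropped, and the comparison is done with hash_equals so a byte-by-byte early exit does not leak how much of the signature matched. Note that the signature only binds your keyset to the timestamp in the body, so a handler that cares about replays still needs its own check that the timestamp is recent.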
